Wednesday, April 2, 2014

Phishing For Suckers of the Mac User Variety


Over the past couple weeks, there has been an all out effort to phish-for-suckers, especially Mac user suckers. I received one of these phishing emails myself!

Here is what it looks like:
From: Customer Support <>
Subject: Update Your Account
Date: March 31, 2014 6:30:20 AM EDT
To: blah@blah.blah
Reply-To: Customer Support <>
Dear Customer, 
We have recently updated our website database and new security feature has been added for effective order and shipping. Please Click, to update your account information within 24hours.  
Apple Team
I have altered the source email address ;-) and removed the hidden URL linked to ''.

How To Detect Phishing URLs

Using Apple Mail, the quick and easy way to check if the link in a suspect email his bogus is to hover your Mac's cursor over the URL found in the email. The result is that the ACTUAL URL appears on screen. Then you can see if they match. If they don't, you know you're being Phished. Here I have applied this method to the Phishing example above. Click on the image to enlarge it for viewing:

Here you can see the cursor hovering above (not clicking on!) the link in the phishing message. The yellow box appears below your cursor, containing the ACTUAL URL hidden beneath the FAKE URL. In this case I can see that the fake link does NOT go to Apple at all. Instead it goes to some unknown server in another country (.nl refers to the Netherlands). I've grayed out most of the actual link for your protection.

When you discover a secret URL deviating from and hidden behind a fake URL label, you know you're being phished. Needless to say, DO NOT click the phishing link!

How Are Secret URLs Hidden Behind Fake URLs?

Here is the HTML command being used by the phishing rats:

"<A HREF="URL" TARGET="_blank">TextOfLink</A>"

Ignoring the coding details, there are two important parts of this command:

1) The actual URL. I have placed the word URL above where the actual URL is placed into the command. For Apple, that could be "", placed within the quotes.

2) The Text Label For The URL. I have placed the phrase TextOfLink above where the text label is placed into the command. For Apple, that could simply be 'Apple' without quotes.

Where this command becomes dangerous is through the use of a URL as your text label. This is allowed! It's clearly a fault of HTML coding. For example, instead of using 'Apple' as the text label I could use anything I like, such as ''. In this example, someone would think they are going to '' but they're actually being sent to

Here are a couple code examples:

'You can visit Apple by going to!'

'You can verify your Facebook password by going to!'

The 'Real' link really goes to Apple. But the Phishing link does NOT go to Facebook! In this example, it also goes to Apple. But I could make it go ANYWHERE on the Internet I liked, while still fooling you that it goes to Facebook.

When you arrive at a phishing website, it has been setup to 'appear' to be real. This can be done by stealing all the graphics and design of the original website, such as Facebook, then uploading it to the faked phishing website. It looks like Facebook! But it's NOT Facebook. Having suckered you there, the phishing rats can then ask you to 'LOG IN' to your account. You log in, you believe. But they have just stolen your ID and password. You've been successfully phished.

Phishing websites can ask you ANYTHING. What's your birthday? What's your credit card number? What's your card's secret code? What's your maiden name? Where do you live? Etc. If you hand them the data, they abuse you. Typically, people's identities are sold to other rats who want to steal from you or pretend to be you for nefarious purposes. That's bad.

Further Details About Mac User Phishing

Topher Kessler, formerly of MacFixIt (which CNET has discontinued) has set up a new website for helping Mac users: He has an excellent article covering further details of the ongoing phishing of Mac users:

New phishing attempt mimics Apple support

You'll find that Topher uses the same example I provided above, which is helpful for understanding what's going on. He has also provided further illustrations. Thank you Topher!



No comments:

Post a Comment